Elite Dental Associates, Dallas (“Elite”) has agreed to pay $10,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule[1]. According to OCR, Elite is a privately owned dental practice in Dallas, Texas, providing general, implant, and cosmetic dentistry.
On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a Yelp! review by disclosing the patient’s last name and details of the patient’s health condition. OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on its Yelp! review page. Additionally, Elite had neither a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protected the PHI of its patients, nor a Notice of Privacy Practices that complied with the HIPAA Privacy Rule. OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.
This settlement is a reminder to all covered entities subject to the HIPAA Privacy Rule that PHI of your patients cannot be disclosed through social media. Health care providers cannot respond to social media posts and other reviews in a manner that would disclose patient PHI. As OCR Director Roger Severino noted in an HHS press release, “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
The OCR resolution agreement is available here.
[1] 45 CFR Part 160 and Subparts A and E of Part 164.